Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1868246yba; Thu, 25 Apr 2019 07:03:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqwUlJH1c/cSH9vuEcQAr1C5BF5sUS/u/VqBA7StwOdNCnJylKbbK1ZvOC2meiSKxCjHDZAf X-Received: by 2002:a17:902:24a:: with SMTP id 68mr17871551plc.250.1556200998937; Thu, 25 Apr 2019 07:03:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556200998; cv=none; d=google.com; s=arc-20160816; b=eI7PWPYxAFJMph2cRHXueallI6y5RAeEPQWXt2uQlPdwCVbBl1Ah0QWhg6se0ml1sz 3mIkphoAwGXxG959ziJJ9qPYPekPCDxfgLHJTxyRNAC0yG63ZUcN9X4j5SEUB9YPc5+z i3co0JND3SLQv1qwe4aJdN3Wrs/3Po5Bkdkp1PCYXpG8YloWkp+iOgCeUAEXB6z7m69Z 9emeW6McIJkGhXq9ORkpeGkOUWe0MTrnqTGp0QMaGwadkj1WF5I3EDZaRPcXY66oLG+w u0lnD6GpqfR29Z7SdOXVFKqPUHqr/W7AAVHaJFUoKuKCtM5JQzTSSF5ELhVf4KadBdc0 X8BQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=QulxoRwNErBFGDnN9XCRDP03oURJk+3jnZ+stohPrSk=; b=pxSZ/vgYDhDPeKG8M5KZdAV1NPUGbB7yFZp0JYBrkjfn11gqhEtT8U97SnBheji0cb COEVO1tJAi4nWcV8L/UoMRtukMNY4caKBK2Zxpda7bvlFImPNfn0uWQOUVVjpebr9Z+8 fdWULdkxOrE6jsel+CrrjLualXIWa1uQbs8AAwc4B0zRI6iYtuH5BQN3FsY7fWImZqN9 3ZmG+LflYYZMmrWFEQN2bQow90ueYGV13nH2UK/04+ck39vL964aKHYZKrBMs2Hh9wpp vcFilwam01Ro19MMqtOVKIDhrp3B8nTHTWvbdcOxDtJx5iJv8hgTls/Bck08y03TNwcA nEnw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z4si21728150plk.385.2019.04.25.07.03.01; Thu, 25 Apr 2019 07:03:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728469AbfDYMh6 (ORCPT + 99 others); Thu, 25 Apr 2019 08:37:58 -0400 Received: from mx2.suse.de ([195.135.220.15]:33786 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725965AbfDYMh5 (ORCPT ); Thu, 25 Apr 2019 08:37:57 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 6120AAC3D; Thu, 25 Apr 2019 12:37:56 +0000 (UTC) Date: Thu, 25 Apr 2019 14:37:55 +0200 From: Michal Hocko To: Matthew Garrett Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Matthew Garrett , linux-api@vger.kernel.org Subject: Re: [PATCH V2] mm: Allow userland to request that the kernel clear memory on release Message-ID: <20190425123755.GX12751@dhcp22.suse.cz> References: <20190424211038.204001-1-matthewgarrett@google.com> <20190425121410.GC1144@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190425121410.GC1144@dhcp22.suse.cz> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 25-04-19 14:14:10, Michal Hocko wrote: > Please cc linux-api for user visible API proposals (now done). Keep the > rest of the email intact for reference. > > On Wed 24-04-19 14:10:39, Matthew Garrett wrote: > > From: Matthew Garrett > > > > Applications that hold secrets and wish to avoid them leaking can use > > mlock() to prevent the page from being pushed out to swap and > > MADV_DONTDUMP to prevent it from being included in core dumps. Applications > > can also use atexit() handlers to overwrite secrets on application exit. > > However, if an attacker can reboot the system into another OS, they can > > dump the contents of RAM and extract secrets. We can avoid this by setting > > CONFIG_RESET_ATTACK_MITIGATION on UEFI systems in order to request that the > > firmware wipe the contents of RAM before booting another OS, but this means > > rebooting takes a *long* time - the expected behaviour is for a clean > > shutdown to remove the request after scrubbing secrets from RAM in order to > > avoid this. > > > > Unfortunately, if an application exits uncleanly, its secrets may still be > > present in RAM. This can't be easily fixed in userland (eg, if the OOM > > killer decides to kill a process holding secrets, we're not going to be able > > to avoid that), so this patch adds a new flag to madvise() to allow userland > > to request that the kernel clear the covered pages whenever the page > > reference count hits zero. Since vm_flags is already full on 32-bit, it > > will only work on 64-bit systems. The changelog seems stale. You are hooking into unmap path where the reference count might be still > 0 and the page still held by somebody. A previous email from Willy said " It could be the target/source of direct I/O, or userspace could have registered it with an RDMA device, or ... It depends on the semantics you want. There's no legacy code to worry about here. I was seeing this as the equivalent of an atexit() handler; userspace is saying "When this page is unmapped, zero it". So it doesn't matter that somebody else might be able to reference it -- userspace could have zeroed it themselves. " I am not sure this is really a bullet proof argumentation but it should definitely be part of the changelog. Besides that you inherently assume that the user would do mlock because you do not try to wipe the swap content. Is this intentional? Another question would be regarding the targeted user API. There are some attempts to make all the freed memory to be zeroed/poisoned. Are users who would like to use this feature also be interested in using system wide setting as well? -- Michal Hocko SUSE Labs